Wix PCI Compliance Limitations: What Store Owners Need to Know

Bottom Line Up Front

Just got a PCI compliance questionnaire from your payment processor and feeling overwhelmed? Here’s what you need to know: if you’re using Wix for e-commerce with their standard payment options, your Wix PCI limitations are actually minimal, and compliance is simpler than you think. Most Wix store owners qualify for SAQ A — the shortest and simplest compliance questionnaire with only 22 questions.

You’re not alone if that compliance email felt like it was written in another language. PCI compliance sounds intimidating, but for most small businesses, it’s a straightforward annual process that takes less time than filing your taxes. This guide breaks down everything in plain English: what PCI compliance means for your Wix store, which questionnaire you need to complete, and exactly how to get it done.

What Is PCI Compliance (In Plain English)

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that apply to anyone who accepts credit card payments. The major card brands — Visa, Mastercard, American Express, and Discover — created these standards through the PCI Security Standards Council to protect cardholder data from theft and fraud.

Think of it as a security checklist for handling credit cards. Just like health codes for restaurants or safety standards for daycare centers, PCI DSS ensures businesses follow basic security practices when dealing with payment information.

Your payment processor or acquiring bank (the company that handles your credit card transactions) enforces these requirements. That’s who sent you the compliance questionnaire, and that’s who’ll impose fines if you don’t comply. Non-compliance consequences include:

  • Monthly fines from your processor (typically $20-$100 for small merchants)
  • Liability for fraudulent charges if your business is breached
  • Potential loss of ability to accept credit cards
  • Higher transaction fees as a “non-compliant” merchant

The good news? Most small businesses, especially those using platforms like Wix, qualify for the simplest compliance paths. You’re not building Fort Knox — you’re just answering some basic questions about how you handle payments.

Do You Need to Be PCI Compliant?

Simple answer: If you accept credit cards in any form, yes.

It doesn’t matter if you process one transaction or one million. Online store? Yes. Physical retail location? Yes. Take orders over the phone? Yes. The moment you accept a credit card payment, PCI DSS applies to your business.

Your merchant level determines how much documentation you need to provide:

  • Level 4: Under 20,000 e-commerce transactions OR under 1 million total transactions annually (most small businesses)
  • Level 3: 20,000 to 1 million e-commerce transactions annually
  • Level 2: 1 to 6 million total transactions annually
  • Level 1: Over 6 million transactions annually

Most Wix store owners are Level 4 merchants, which means you complete a Self-Assessment Questionnaire (SAQ) rather than hiring an external assessor.

That compliance questionnaire your processor sent? It’s their way of ensuring you’re following PCI requirements. They need this documentation annually to show the card brands that their merchants are secure. Ignore it, and you’ll start seeing compliance fees on your monthly statements.

Which SAQ Do You Need?

The SAQ is your main compliance document — a questionnaire where you confirm your security practices. There are different versions based on how you accept payments:

Payment Method                             | SAQ Type | Questions | Complexity
-------------------------------------------|----------|-----------|-------------
Wix with Wix Payments or PayPal checkout   | SAQ A    | 22        | Simple
Physical terminal only (no e-commerce)     | SAQ B    | 41        | Simple
Terminal with IP connection                | SAQ B-IP | 82        | Moderate
Call center/phone orders only              | SAQ C-VT | 85        | Moderate
Manual entry into virtual terminal         | SAQ C    | 160       | Complex
Store card numbers locally                 | SAQ D    | 329       | Very Complex

For Wix store owners, the path is usually clear:

If you use Wix Payments, PayPal, or Stripe with their hosted checkout → You qualify for SAQ A. Your customers enter card details on a payment page hosted by the payment provider, not on your Wix site. You never see or touch the actual card numbers.

If you also have a physical store with a card terminal → You might need SAQ B or SAQ B-IP for that location, in addition to SAQ A for your online store.

If you manually enter card numbers (like taking phone orders and typing them into Wix) → You’ll need SAQ C-VT or SAQ C.

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guesswork required.

How to Complete Your SAQ

Your SAQ is a series of yes/no questions about your payment security practices. For SAQ A (most common for Wix stores), you’re answering questions like:

  • “Do you redirect customers to a third-party payment page?” (Yes, if using Wix Payments)
  • “Have you documented which third-party provider handles your payments?” (Yes, and it’s Wix/PayPal/Stripe)
  • “Do you review your payment page regularly to ensure the redirect is working?” (Yes, and here’s how often)

Here’s what you’ll need:

1. Your payment flow documentation — Screenshots showing how customers pay on your site
2. Your service provider list — Who handles your payments (Wix, PayPal, etc.)
3. Basic security policies — Even informal ones count, like “only the owner processes refunds”

The quarterly ASV scan might sound technical, but it’s just an automated security check of your website. An Approved Scanning Vendor runs software that looks for common vulnerabilities. For Wix-hosted sites, these scans typically pass without issues since Wix handles the infrastructure security. You’ll need to:

  • Provide your website URL to the ASV
  • Run the scan quarterly (every 90 days)
  • Fix any failures (rare with Wix) and rescan
  • Submit passing scans with your annual SAQ

Once complete, you’ll sign an Attestation of Compliance (AOC) — basically a cover sheet stating you’ve completed the requirements. Submit both the SAQ and AOC to your payment processor, and you’re done for the year.

What It Costs

Compliance platform fees:

  • SAQ tools and wizards: $150-$500/year for small merchants
  • Some processors include basic tools free
  • PCICompliance.com starts at $19/month for Level 4 merchants

ASV scanning:

  • Required quarterly for most SAQ types
  • $30-$100 per scan, or $150-$400 annually
  • Often bundled with compliance platforms

Professional help (if needed):

  • QSA consultation: $200-$500/hour (rarely needed for SAQ A)
  • Full QSA assessment: $15,000+ (only for Level 1 merchants)

Cost of NON-compliance:

  • Monthly processor fines: $20-$100 for small merchants
  • Breach liability: Average small merchant breach costs $35,000+
  • Lost processing ability: Priceless (literally — you can’t accept cards)

For most Wix store owners completing SAQ A, expect to spend $300-$600 annually on compliance — less than a single month’s non-compliance fine from your processor, and far less than dealing with a breach.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox — it’s an annual requirement with quarterly components. Your processor will ask for updated documentation every year, and you’ll need passing ASV scans every quarter.

Set these reminders now:

  • Annual SAQ due date (check your processor’s requirement)
  • Quarterly ASV scans (every 90 days from your first scan)
  • Annual review of payment providers and processes

Changes that trigger a new assessment:

  • Switching payment processors
  • Adding new payment methods
  • Changing how you handle card data
  • Major website platform changes

PCICompliance.com’s compliance dashboard tracks all these dates automatically, sending reminders before deadlines and maintaining your compliance history in one place. No more scrambling when your processor sends that annual reminder.

FAQ

What happens if I ignore the compliance questionnaire?

Your payment processor will start adding non-compliance fees to your monthly statement — typically $20-$100 per month for small merchants. Eventually, they may increase your transaction rates or terminate your ability to accept cards. It’s much easier (and cheaper) to just complete the questionnaire.

Do I need to be PCI compliant if I only use PayPal?

Yes. If you accept credit cards through PayPal, you still need to comply with PCI DSS. However, using PayPal’s hosted checkout qualifies you for SAQ A, the simplest questionnaire.

What’s the difference between PCI compliance and SSL certificates?

An SSL certificate encrypts data between your customer’s browser and your website. PCI compliance is a comprehensive set of security requirements that includes encryption but covers much more — like access controls, security policies, and regular monitoring.

Can Wix handle PCI compliance for me?

Wix handles the security of their platform and infrastructure, but you’re still responsible for completing your annual SAQ and maintaining compliance. Think of it like renting a secure building — the landlord provides security features, but you still need to lock your office door.

How long does it take to complete SAQ A?

Most merchants complete SAQ A in 30-60 minutes once they understand the questions. Gathering documentation might take another hour. It’s an afternoon project, not a week-long ordeal.

What if I fail my ASV scan?

Don’t panic. ASV scans often flag minor issues that are easily fixed. Your scan report will list specific vulnerabilities to address. For Wix sites, failures are rare since Wix manages the hosting infrastructure.

Do I need to hire a QSA?

Most Wix store owners don’t need a QSA. Level 4 merchants (under 20,000 e-commerce transactions annually) self-assess using the SAQ. Only Level 1 merchants require a full assessment by a QSA.

What about storing customer information for returns?

Storing full credit card numbers requires SAQ D compliance — the most complex level. Instead, keep only the last four digits and transaction IDs. Your payment processor can handle returns with just the transaction reference.
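The "keep only the last four digits and the transaction ID" advice above is easy to state and easy to break by accident: a full card number typed into an order note or a CSV export is enough to pull you out of SAQ A scope. The script below is an added example (not code from this page, from Wix, or from PCICompliance.com) of a small sanitizer a store owner or developer could run over order records before they are saved or exported. It keeps an allowlist of fields, drops the full card number and security code, and scans free-text notes for anything that looks like a card number (13 to 19 digits that pass the Luhn check), replacing it with a truncated form. The sample order record is constructed for the example; the field names are assumptions, not Wix's export format.

```python
import re

# Constructed sample record: what a store might save to handle a later return.
# The full card number and CVV should never be stored, and a staff member has
# also pasted the card number into the free-text notes by mistake.
SAMPLE_ORDER = {
    "order_id": "ORD-1001",             # constructed order reference
    "transaction_id": "txn_7f3a9c2e",   # constructed processor reference
    "card_last4": "4242",
    "card_number": "4242424242424242",  # full PAN: must not be retained
    "expiry": "12/27",
    "cvv": "123",                        # sensitive authentication data: never storable
    "notes": "Customer called, card 4242 4242 4242 4242 wants exchange",
}

# Fields a return/refund workflow actually needs. Everything else is dropped.
ALLOWED_FIELDS = ("order_id", "transaction_id", "card_last4")

# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if `digits` is a 13-19 digit string with a valid Luhn checksum."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the normalized (separator-free) card numbers found in free text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid card number in `text` with its last four digits."""
    def _replace(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            return "****" + digits[-4:]   # truncation: permitted to store
        return m.group()                  # not a card number, leave it alone
    return PAN_RE.sub(_replace, text)


def sanitize_order(order: dict) -> dict:
    """Return a copy of `order` that is safe to store for returns and refunds."""
    clean = {k: order[k] for k in ALLOWED_FIELDS if k in order}
    # Derive the truncated copy if the record only carried the full number.
    if "card_last4" not in clean and "card_number" in order:
        clean["card_last4"] = str(order["card_number"])[-4:]
    # Free-text fields are kept, but scrubbed of anything that looks like a PAN.
    if "notes" in order:
        clean["notes"] = redact_pans(order["notes"])
    return clean


if __name__ == "__main__":
    print("PANs found in notes:", find_pans(SAMPLE_ORDER["notes"]))
    print("Sanitized record:", sanitize_order(SAMPLE_ORDER))
```

Run this over records before they reach a database, spreadsheet or support ticket system; the processor's transaction ID is all that is needed to issue a refund, so nothing of value is lost by dropping the rest.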

Conclusion

Understanding Wix PCI limitations doesn’t have to be overwhelming. For most Wix store owners, PCI compliance means completing a simple SAQ A questionnaire annually, running quarterly security scans, and following basic security practices you’re probably already doing.

The key is knowing which requirements apply to your specific setup and staying organized with your compliance documentation. PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard or talk to our compliance team to get your Wix store compliant today.

Remember: PCI compliance isn’t about perfection — it’s about following established security practices to protect your customers’ card data. Take it one step at a time, and you’ll find it’s much more manageable than that initial compliance email made it seem.
